a. Field of the Invention
The present disclosure generally relates to automatic defenses against software intended to damage or disable computers and computer systems, commonly called “malware.” More specifically, the present disclosure relates to systems and methods for identifying malware, particularly encrypting malware, and automatically responding to protect the integrity of attacked data and client systems.
b. Background Art
The state of the art in detecting that a particular target program is malware, and in stopping it, is based upon either 1) the identity of the target program, or 2) the actions of the target program. Identity-based systems use techniques such as matching the target program or its support files against a list of suspicious names (or name patterns), or using binary “signatures” corresponding to known malware programs or routines to see whether similar routines are included in the target program. Signature matching can be effective against known malware programs, but it is difficult to detect new types of malware that have unique signatures. In addition, the current state of the art in malware creation randomizes the binary code in the malware program, evading simple signature detection, and malware can also be programmed to avoid being written to disk, making it necessary to perform costly active scanning of the running computer's memory.
Action-based systems use lists of various “risky” behaviors or properties to evaluate whether the target program is acting in a way that is more likely to be harmful. Certain operations, such as accessing the memory of other programs, certain system calls, etc. are more frequently associated with malware. A target program that engages in a sufficient number of “risky” or suspicious calls is identified as malware. However, action-based systems can suffer from a large number of false positives for certain types of legitimate programs, such as debuggers. In addition, it is hard to catch “malware-free” malware that acts by controlling system-level administrative facilities because legitimate system facilities are typically excluded by default.
A third strain of anti-malware seeks to maximize system integrity. These anti-malware tools, such as the program “Tripwire,” look at sensitive system files and alert the administrator when those sensitive files are changed. The presumption is that an absence of change is evidence of an absence of malware. While these programs are useful for helping maintain system integrity, they are less effective against user-targeting malware. User data changes far more frequently than sensitive system files, making a system bent on enforcing a lack of change ineffective for many purposes.
One notable area where many existing systems fail is in the case of encrypting malware. Encrypting malware replaces existing files with encrypted versions of the data, and usually includes some way to demand a “ransom” in exchange for the decryption key. These sorts of encrypting malware programs can evade signature-based checkers by encrypting or scrambling their own code, and their actions in accessing ordinary user data are typically outside the scope of what is considered “dangerous” by an action-based or file-integrity-based system.
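The following is an added illustration, not code from the disclosure, of the file-integrity approach described above and of why it struggles with encrypting malware. It builds a Tripwire-style hash baseline over a constructed directory tree, then applies two constructed changes: a legitimate edit to a user file and a user file overwritten with random bytes standing in for an encrypted replacement. The integrity check reports both as “changed” with no way to tell them apart; the byte-entropy classifier at the end goes beyond what the disclosure describes and is an assumed heuristic for separating the two. The 7.5-bit threshold, the file names, and all contents are assumptions.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter


def file_sha256(path):
    """Hash a file's contents in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Tripwire-style baseline: map each file's path (relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_sha256(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Return sorted lists of changed, added and removed paths relative to the baseline."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed


def shannon_entropy(data):
    """Bits per byte of a byte string: near 8.0 for encrypted or compressed data, lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_changes(root, changed, threshold=7.5):
    """Assumed heuristic (not from the disclosure): split changed files into
    'suspicious' (high entropy, consistent with encryption) and 'ordinary' edits."""
    suspicious, ordinary = [], []
    for rel in changed:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        (suspicious if shannon_entropy(data) >= threshold else ordinary).append(rel)
    return suspicious, ordinary


def demo():
    """Constructed scenario: baseline, a legitimate user edit, and a file replaced with random bytes."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "home", "alice"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "home", "alice", "notes.txt"), "w") as f:
            f.write("meeting at ten\n" * 50)
        with open(os.path.join(root, "home", "alice", "report.txt"), "w") as f:
            f.write("quarterly figures look fine\n" * 50)
        baseline = build_baseline(root)

        # Legitimate user activity: an ordinary edit that an integrity checker flags anyway.
        with open(os.path.join(root, "home", "alice", "notes.txt"), "a") as f:
            f.write("bring slides\n")
        # Constructed stand-in for an encrypted replacement: the report becomes random bytes.
        with open(os.path.join(root, "home", "alice", "report.txt"), "wb") as f:
            f.write(os.urandom(4096))

        changed, added, removed = compare_to_baseline(root, baseline)
        suspicious, ordinary = classify_changes(root, changed)
        return {"changed": changed, "added": added, "removed": removed,
                "suspicious": suspicious, "ordinary": ordinary}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash comparison alone cannot distinguish the edited notes from the encrypted report, which is the limitation the text describes for user data; the entropy step is one defender-side signal that can, at the cost of false positives on legitimately compressed or encrypted user files.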
The most recent advances in both identity and action-based systems use various machine learning and statistical techniques to determine whether the target program should be classified as malware. Different techniques can be used for different parts of the protected system, and a “defense in depth” approach can capture a number of different types of malware.
It is apparent, however, that current trends toward cloud-oriented computing and storage are likely to make the current state-of-the-art systems much less effective. Cloud computing is likely to split processing between one or more client computers and one or more server computers, and this kind of direct observation of potential malware and “protected” files will become inefficient if not impossible. Thus, a new and more distributed manner of protecting client computers against malware is needed.